part 5, IT and the law Flashcards

1
Q

this is an EU law that came into force in 2014 and allows individuals to have personal data about them removed from search engines if it is untrue or no longer relevant

A

what is the

right to be forgotten

2
Q

this allows:

  1. Unauthorised access to a database
  2. Viewing restricted content of a database
  3. Changing or deleting the contents of the database
  4. Reconnoitring a site before performing a serious attack
A

what 4 actions does an

SQL injection (SQLi)

allow

3
Q

Section 171(1) of the General Data Protection Regulation (GDPR) may allow this if it is done:

  1. with a view to testing the effectiveness of the de-identification of personal data,
  2. without intending to cause, or threaten to cause, damage or distress to a person, and
  3. in the reasonable belief that, in the particular circumstances, re-identifying the information was justified as being in the public interest.
A

under which 3 circumstances would Section 171(1) of the General Data Protection Regulation (GDPR) allow for the

de-anonymisation of anonymised data

4
Q

TalkTalk was attacked in July, September and October of 2015

A

in 2015 which months was TalkTalk attacked

5
Q

this section is concerned with

unauthorised access intending to commit or assist the commission of further offences

A

what is

section 2 of the Computer Misuse Act (CMA) 1990

concerned with

6
Q

what is a

query string

A

this is part of a website's Uniform Resource Locator (URL). It does not determine the address of the web page but instead is a method of transmitting data, for example from a web form to a server

7
Q

from this company attackers stole:

  1. 157,000 customer accounts, including information such as names and addresses, dates of birth, email and telephone details, as well as account information
  2. complete bank or credit card records belonging to 16,000 customers
  3. partial banking details of a further 28,000 customers
A

in October 2015 what

data was stolen from TalkTalk

8
Q

what are the two

overriding provisions

of the

General Data Protection Regulation (GDPR)

A

these include:

  1. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection or appropriate safeguards for the rights and freedoms of data subjects in relation to the processing of personal data; or there are special circumstances meaning the transfer is necessary.
  2. Personal data shall be processed in accordance with the rights of data subjects i.e. there must be respect for fundamental rights.

(Open University, 2022)

9
Q

what did the

Data Protection Act 1998

introduce / acknowledge

A

this piece of legislation explicitly acknowledges the privacy rights of individuals.

10
Q

access to this was provided through a terminal that cost £650; in addition you would have to pay a quarterly subscription of £5 and 5p per page viewed during peak hours

A

how could you gain access to the

Prestel service

11
Q

what is

Section 3A of the Computer Misuse Act (CMA) 1990

A

This is an amendment to the Act which states that it is a criminal offence to develop or supply either software or data that may be used in a crime

12
Q

to be charged under this it must be proven that:

  1. The accused had a desire to perform the crime
  2. The accused took action to perform the crime

example

gaining access where you shouldn't have, by accident, means that you have met criterion 2 but not criterion 1; therefore you cannot be charged under this act

similarly, if you plan an attack you have met criterion 1, but until action is taken (criterion 2) you cannot be charged under this act

A

which two criteria must be met in order to be sentenced under the

Computer Misuse Act (CMA) 1990

13
Q

YES

Section 171(1) of the law states:

“It is an offence for a person knowingly or recklessly to re-identify information that is de-identified personal data without the consent of the controller responsible for de-identifying the personal data”

A

does the General Data Protection Regulation (GDPR)

prohibit the act of de-anonymising data that has been anonymised

such as pseudonymised data

14
Q

some knowledge an attacker may gain from these is:

  1. which queries were successfully executed
  2. which tables do/do not exist
  3. what data does/does not exist
A

what knowledge could an attacker gain from your database by

receiving error messages

during an SQL injection (SQLi) attack

15
Q

how do

databases allow web pages to be dynamic in nature

and at the same time avoid creating millions of different web pages, one for each user

A

a web page can usually be implemented as a template which can

have data entered into it depending on the situation such as who is logging in

16
Q

what happens when

restrictions are placed on query strings

to prevent an SQL injection (SQLi) attack

A

when taking this action the script that turns query strings into queries will ensure that it only accepts:

  1. queries with a fixed number of parameters
  2. queries with parameters of certain types

Example

If the script only expects two parameters (name and date) and those parameters must be formatted a certain way or be a certain type then any other query strings that it encounters will be discarded and not passed to the database

17
Q

how can

Principle 6, Integrity and confidentiality (security)

of

article 5, General Data Protection Regulation (GDPR)

Data Protection Principles

be described / summarised

A

this can be described / summarised as:

The sixth data protection principle is that personal data processed for any purposes must be so processed in a manner that ensures appropriate security of the personal data, using appropriate technical or organisational measures (and, in this principle, “appropriate security” includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage). (Open University, 2022)

18
Q

what is the

Computer Misuse Act (CMA) 1990

concerned with

A

this act is concerned with unauthorised access to or modification of a computer, as well as any crimes carried out with a computer and/or threats to life through use of a computer

19
Q

in the UK this position is taken by the

Information Commissioner’s Office (ICO)

A

the General Data Protection Regulation (GDPR) ensures that each member state has a supervisory authority (SA) which oversees data protection

what is the name of the

UK's supervisory authority (SA)

20
Q
  1. their profits halved
  2. they spent £60 million upgrading their systems
  3. their shares dropped
  4. 101,000 customers were lost in the 3 months following the attack
  5. they were fined £400,000 for being in breach of the Data Protection Act (DPA) 1998
A

in the aftermath of the October 2015 attack on TalkTalk what were the implications for the company

21
Q

what does

subsection 2(5) of the Computer Misuse Act (CMA) 1990

state

A

this lists punishments under section 2 and states that there is a prison sentence of up to 5 years for the most serious crimes. It also states that you can be charged with additional offences as well as section 2, such as when you commit theft

22
Q

this type of conviction is where a jury will be involved in the case

A

what is a

conviction of indictment

23
Q

what is a

conviction of indictment

A

this type of conviction is where a jury will be involved in the case

24
Q

what is

Section 3ZA of the Computer Misuse Act (CMA) 1990

A

This is another amendment which has been made to the Computer Misuse Act (CMA) 1990. It covers the most serious of computer crimes, where human life has been harmed, such as:

  1. Disrupting food, water or energy supplies
  2. Disrupting communication or transport networks
  3. Damaging or disrupting healthcare
25
Q

what does

subsection 2(2) of the Computer Misuse Act (CMA) 1990

state

A

This lists the types of crimes covered by section 2 such as: fraud, forgery, theft and criminal damage

26
Q

how does

turning off error messages

help prevent an SQL injection (SQLi) attack

A

the reason this helps prevent an SQL injection (SQLi) attack is that an attacker can use these messages to gain a better understanding of the structure of your database

27
Q

what 3 purposes does the

General Data Protection Regulation (GDPR)

serve

A

this:

  1. Provides a set of rules concerning data that is enforced by every EU member state. This makes doing business much easier in cases where data processing of a certain type would have been illegal in one country but not another
  2. protects the data of EU citizens by placing responsibility for protecting that data on companies.
  3. protects EU citizens' data even when it is not being processed in the EU, since the law extends to any country processing EU citizens' data
28
Q

name 5 requirements that the

General Data Protection Regulation (GDPR)

places on developers / companies

A

this requires that:

  1. developers think about the privacy of users' data from the outset, not just when the system is finished
  2. companies process as little data as possible
  3. companies only collect what they need to complete the task
  4. personal data is deleted when no longer needed
  5. data may not be passed to other organisations without permission
29
Q

by taking this action on a database:

  1. it makes it harder for an attacker to understand the structure of your database
  2. it increases the likelihood that the attacker will be caught before carrying out a real attack
A

how does

turning off database error messages

make it harder for an attacker to perform an SQL injection (SQLi) attack

30
Q

this term covers any of the following acts:

  1. Collecting new data
  2. Using existing data
  3. Sharing data
  4. Disclosing or displaying data
  5. Data storage
  6. Data disposal
A

according to the Data Protection Act (DPA) what does the term

data processing

encompass

31
Q

when this occurs within the query string they are separated by ampersands (&)

A

if

multiple parameters and their values are contained within a query string

how are they separated

32
Q

for you to be charged with this section some actions might be:

  1. Denial of service
  2. Introducing malware
A

name two actions taken on a computer that would be chargeable under

Section 3 of the Computer Misuse Act (CMA) 1990

33
Q

this is part of a website's Uniform Resource Locator (URL). It does not determine the address of the web page but instead is a method of transmitting data, for example from a web form to a server

A

what is a

query string

34
Q

what are the 7

Data Protection Principles

included in article 5 of the General Data Protection Regulation (GDPR)

A

this includes:

  1. Lawfulness, fairness and transparency
  2. Purpose limitation
  3. Data minimisation
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality (security)
  7. Accountability
35
Q

what is

section 1 of the Computer Misuse Act (CMA) 1990

concerned with

A

this section is concerned with

unauthorised access to computer material

36
Q

this piece of legislation explicitly acknowledges the privacy rights of individuals.

A

what did the

Data Protection Act 1998

introduce / acknowledge

37
Q

this is a type of attack where an attacker does not know the structure of your database. Instead they issue queries in the hope that they will be executed by the database.

A

what is

blind injection

38
Q

in the aftermath of the October 2015 attack on TalkTalk what were the implications for the company

A
  1. their profits halved
  2. they spent £60 million upgrading their systems
  3. their shares dropped
  4. 101,000 customers were lost in the 3 months following the attack
  5. they were fined £400,000 for being in breach of the Data Protection Act (DPA) 1998
39
Q

what must organisations adhere to in order to remain compliant with the General Data Protection Regulation (GDPR)

A

in order to remain compliant with this they must adhere to the seven core

Data Protection Principles of article 5

40
Q

to be charged under this section:

  1. the user intends to gain access to the computer; and
  2. they are not authorised to do so; and
  3. they are aware that their actions are not authorised by the computer’s owner.
A

what 3 criteria must be met to be

charged with section 1 of the Computer Misuse Act (CMA) 1990

41
Q

how does

turning off database error messages

make it harder for an attacker to perform an SQL injection (SQLi) attack

A

by taking this action on a database:

  1. it makes it harder for an attacker to understand the structure of your database
  2. it increases the likelihood that the attacker will be caught before carrying out a real attack
42
Q

to protect this type of data:

  1. Encrypt data
  2. Separate this data from the algorithm
  3. Separate this data from the data it was created from
A

what measures should be taken to protect

Pseudonymisation data

43
Q

if an organisation in the UK breaches the General Data Protection Regulation (GDPR) this body may:

impose penalties of €20 million or 4% of an organisation's total worldwide annual turnover of the preceding financial year, whichever is higher, for not complying with this law

A

if someone in the UK is in breach of the General Data Protection Regulation (GDPR) what is the maximum punishment that can be placed on an organisation by the

Information Commissioner's Office (ICO)

44
Q

how could you gain access to the

Prestel service

A

access to this was provided through a terminal that cost £650; in addition you would have to pay a quarterly subscription of £5 and 5p per page viewed during peak hours

45
Q

this type of conviction is where no jury is involved in the sentencing; instead only a judge or magistrate handles the case

A

what is a

summary conviction

46
Q

the worst attack that TalkTalk saw in 2015 was in October

A

which month of 2015 saw the hardest-hitting attack on TalkTalk

47
Q

this can be described / summarised as:

Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. Appropriate time limits must be established for the periodic review of the need for the continued storage of personal data for any purposes. (Open University, 2022)

A

how can

Principle 5, Storage limitation

of

article 5, General Data Protection Regulation (GDPR)

Data Protection Principles

be described / summarised

48
Q

to prevent an

error-based SQLi

what 3 actions can be taken

A

to prevent this the following can be implemented:

  1. Ideally error messages are turned off entirely for a public facing database
  2. error messages are logged to a local file for public facing database
  3. error messages are only to be used for offline development of a database
49
Q

what content did Prestel deliver to its subscribers

A

this delivered to its subscribers:

  1. news, train times, etc
  2. the first email service in the UK
  3. the world's first online banking service, through the Bank of Scotland and the Nottingham Building Society
  4. It also introduced the world's first online theatre ticket purchase and grocery shopping
50
Q

how can

Principle 3, Data minimisation

of

article 5, General Data Protection Regulation (GDPR)

Data Protection Principles

be described / summarised

A

this can be described / summarised as:

Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed. (Open University, 2022)

51
Q

what is

blind injection

A

this is a type of attack where an attacker does not know the structure of your database. Instead they issue queries in the hope that they will be executed by the database.

52
Q

this also introduced into UK law:

  1. relations to national security
  2. duties of the Information Commissioner’s Office (ICO)
  3. EU Data Protection Directive 2016/680 (Law Enforcement Directive)
A

the

Data Protection Act (DPA) 2018

introduces Europe's General Data Protection Regulation (GDPR), but what 3 other things did it incorporate into law

53
Q

this works by replacing a legitimate query string with one that is malicious

A

how does an

SQL injection (SQLi) attack

work

54
Q

this is a process that is implemented in order to protect the real identity of an individual

example

Henry has Type 1 diabetes

Patient 37815 has Type 1 diabetes

A

what is

Pseudonymisation

55
Q

what is a

query language

A

this is a specialised language that is used to communicate with databases. The most common is Structured Query Language (SQL)

56
Q

what is

Pseudonymisation

A

this is a process that is implemented in order to protect the real identity of an individual

example

Henry has Type 1 diabetes

Patient 37815 has Type 1 diabetes

57
Q

what are 2 methods that can be taken to

sanitise query strings

and prevent an SQL injection (SQLi) attack

A

2 methods that can be used to implement this are:

  1. restricting query strings
  2. parsing query strings
58
Q

in order to remain compliant with this they must adhere to the seven core

Data Protection Principles of article 5

A

what must organisations adhere to in order to remain compliant with the General Data Protection Regulation (GDPR)

59
Q

2 methods that can be used to implement this are:

  1. restricting query strings
  2. parsing query strings
A

what are 2 methods that can be taken to

sanitise query strings

and prevent an SQL injection (SQLi) attack

60
Q

what does

subsection 2(3) of the Computer Misuse Act (CMA) 1990

state

A

states that further offences committed after gaining access to the computer (section 1) do not need to happen immediately for a charge to be brought. Simply put, if customer details were stolen and then six months later those details were used to commit fraud against those users, you can still be charged.

61
Q

these include:

  1. consent - There must be a clear and specific, up-front statement of consent on the part of the individual, and specific consent for each use of the data
  2. contract - one of the options of choice for many large organisations looking to circumvent the consent rules.
  3. Legal obligation - e.g. the organisation may need to process the data to comply with national security related obligations under a law like the Investigatory Powers Act of 2016.
  4. Vital interests - e.g. processing the data to protect someone’s life.
  5. Public task - e.g. duties carried out by a public authority in the public interest.
  6. Legitimate interests – the Information Commissioner's Office (ICO) describes this as “the most flexible lawful basis for processing… where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact”.
A

what are the six

lawful bases upon which the Data Protection Act (DPA) 2018 allows organisations to process data

62
Q

the reason this helps prevent an SQL injection (SQLi) attack is that an attacker can use these messages to gain a better understanding of the structure of your database

A

how does

turning off error messages

help prevent an SQL injection (SQLi) attack

63
Q

according to section 3(2) of the Data Protection Act (DPA)

what is personal data?

A

this describes it as

any information relating to an identified or identifiable living individual.

side note

Some observations of this are:

  1. It does not cover data about dead people
  2. It does not protect anonymised information
  3. Does not protect data about pets
  4. Etc
64
Q

which two criteria must be met in order to be sentenced under the

Computer Misuse Act (CMA) 1990

A

to be charged under this it must be proven that:

  1. The accused had a desire to perform the crime
  2. The accused took action to perform the crime

example

gaining access where you shouldn't have, by accident, means that you have met criterion 2 but not criterion 1; therefore you cannot be charged under this act

similarly, if you plan an attack you have met criterion 1, but until action is taken (criterion 2) you cannot be charged under this act

65
Q

these two journalists were initially found guilty of forgery and counterfeiting

A

what was

Robert Schifreen and fellow journalist Stephen Gold

initially found guilty of

66
Q

this act meant that any public or private companies holding personal data had to register with a data protection registrar, who also enforced the law; however, an individual's right to privacy was not covered by this piece of legislation

A

what did the

Data Protection Act (DPA) 1984

introduce

67
Q

in October 2015 TalkTalk had been the victim of an

SQL injection (SQLi) attack

A

in October 2015 what type of attack was TalkTalk subject to

68
Q

what is the

right to be forgotten

A

this is an EU law that came into force in 2014 and allows individuals to have personal data about them removed from search engines if it is untrue or no longer relevant

69
Q

what was proposed after the appeal ruling of Robert Schifreen and Stephen Gold

A

after the appeal ruling it was proposed by the courts that legislators would have to decide if new laws should be put in place to restrict the act of unauthorised access to a computer

70
Q

describe what

sensitive data

is

A

this is any personal data that could be used against a person for reasons such as:

  1. discrimination
  2. persecution because of their beliefs or who they are

because of these risks there is a wide range of protections in place for this type of personal data

71
Q

what claim did journalists Robert Schifreen and Stephen Gold make during their appeal, and did the judge agree

A

the claim that Robert Schifreen and fellow journalist Stephen Gold made during their appeal was that

the act they were charged under was never meant to be used in such a case as theirs

the judge agreed with this claim and dropped all charges in 1988

72
Q

because some software can be used in a criminal way but at the same time has legitimate uses, such as assessing the security of a system, what considerations have been recommended for assessment before someone is charged under

Section 3A of the Computer Misuse Act (CMA) 1990

A

Some considerations of using this section are:

  1. Was the software developed to obtain unauthorised access to a computer? For instance, malware clearly obtains unauthorised access to data.
  2. Does the software have a legitimate purpose, such as testing a network’s security?
  3. What was the context in which the software was used to commit the offence, compared with its original intended purpose?
73
Q

when

restricting permissions

to prevent an SQL injection (SQLi) attack what two actions can be put into place

A

when using this technique to prevent an SQL injection (SQLi) attack we can:

  1. restrict what data a web page can see from a database
  2. restrict what actions a web page can take on a database, such as deleting or modifying

restrictions such as these ensure that even if a malicious query string is sent to a server, it will never be executed by the database because of the lack of permissions

74
Q

this will begin after a question mark symbol (?) within the Uniform Resource Locator (URL)

A

where does a

query string

begin within a

Uniform Resource Locator (URL)

75
Q

what knowledge could an attacker gain from your database by

receiving error messages

during an SQL injection (SQLi) attack

A

some knowledge an attacker may gain from these is:

  1. which queries were successfully executed
  2. which tables do/do not exist
  3. what data does/does not exist
76
Q

what does

subsection 2(4) of the Computer Misuse Act (CMA) 1990

state

A

states that you can still be charged under section 2 even if there was no way you could have been successful. Such cases might be where an attacker did not have the required skills, the system they tried to attack had preventative measures, etc.

77
Q

this lists punishments under section 2 and states that there is a prison sentence of up to 5 years for the most serious crimes. It also states that you can be charged with additional offences as well as section 2, such as when you commit theft

A

what does

subsection 2(5) of the Computer Misuse Act (CMA) 1990

state

78
Q

Some considerations of using this section are:

  1. Was the software developed to obtain unauthorised access to a computer? For instance, malware clearly obtains unauthorised access to data.
  2. Does the software have a legitimate purpose, such as testing a network’s security?
  3. What was the context in which the software was used to commit the offence, compared with its original intended purpose?
A

because some software can be used in a criminal way but at the same time has legitimate uses, such as assessing the security of a system, what considerations have been recommended for assessment before someone is charged under

Section 3A of the Computer Misuse Act (CMA) 1990

79
Q

what sentences does

Section 3ZA of the Computer Misuse Act (CMA) 1990

hold

A

This holds the highest penalties under the Computer Misuse Act (CMA) 1990, with the least serious offences carrying 14 years in jail and the most serious carrying life in jail

80
Q

this is any personal data that could be used against a person for reasons such as:

  1. discrimination
  2. persecution because of their beliefs or who they are

because of these risks there is a wide range of protections in place for this type of personal data

A

describe what

sensitive data

is

81
Q

who developed Prestel and what was its lifetime

A

this was developed by the British Post Office in 1979 and eventually ceased its service in 1991

82
Q

customers' data was posted online and some customers even received fraudulent calls, such as:

  1. Being tricked into making payments
  2. Giving away more banking information
  3. Tricking the user to install malware on to their own systems
A

in the aftermath of the October 2015 attack on TalkTalk what happened with the customer data that was stolen

83
Q

according to the Data Protection Act (DPA) what does the term

data processing

encompass

A

this term covers any of the following acts:

  1. Collecting new data
  2. Using existing data
  3. Sharing data
  4. Disclosing or displaying data
  5. Data storage
  6. Data disposal
84
Q

this was introduced mainly so that the UK could implement Europe's General Data Protection Regulation (GDPR)

A

what did the

Data Protection Act (DPA) 2018

introduce

85
Q

this describes it as

any information relating to an identified or identifiable living individual.

side note

Some observations of this are:

  1. It does not cover data about dead people
  2. It does not protect anonymised information
  3. Does not protect data about pets
  4. Etc
A

according to section 3(2) of the Data Protection Act (DPA)

what is personal data?

86
Q

this section is concerned with

unauthorised modification of computer material.

A

what is

section 3 of the Computer Misuse Act (CMA) 1990

concerned with

87
Q

what 3 criteria must be met to be

charged with section 1 of the Computer Misuse Act (CMA) 1990

A

to be charged under this section:

  1. the user intends to gain access to the computer; and
  2. they are not authorised to do so; and
  3. they are aware that their actions are not authorised by the computer’s owner.
88
Q

this can be described / summarised as:

Personal data shall be obtained only for one or more specified, explicit and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes. (Open University, 2022)

A

how can

Principle 2, Purpose limitation

of

article 5, General Data Protection Regulation (GDPR)

Data Protection Principles

be described / summarised

89
Q

this is enforced by:

  1. Each member country is required to have a central supervisory authority (SA) which will oversee data protection.
  2. Companies that have more than 250 employees must have at least one data protection officer (DPO), whose responsibility is to develop protection methods for the personal data they process as well as ensuring they are compliant with the GDPR. (under the data protection act 1998 there was no requirement to hire a DPO)
  3. Companies are forced to report breaches to their supervisory authority (SA) within 72 hours of discovery (the data protection act 1998 encouraged this type of activity but it was not a requirement)
A

what 3 ways is

General Data Protection Regulation (GDPR) enforced

90
Q

who was the first person to discover

SQL injection (SQLi)

and what actions did he take

A

this was first discovered by

security expert Jeff Forristal.

upon discovery he had

attempted to warn microsoft about the issue

however, microsoft at the time saw it as no issue

91
Q

what actions did journalists

Robert Schifreen and stephen gold take on the prestel network

A

these two journalists used the username and password combo which had been seen used at a demonstration to access the prestel network without authorisation

92
Q

what measures should be taken to protect

Pseudonymisation data

A

to protect this type of data:

  1. Encrypt data
  2. Separate this data from the algorithm
  3. Separate this data from the data it was created from
93
Q

this is a command written in a specialised language known as a query language and allows for entering, modifying or deleting data from a database

A

what is a

query

94
Q

what does

subsection 2(1) of the Computer Misuse Act (CMA) 1990

state

A

states that a crime has been committed under section 2 if they committed an offence under section 1 and intend to commit further crimes listed in Subsection 2(2)

95
Q

what is the maximum sentence under

Section 3 of the Computer Misuse Act (CMA) 1990

A

This section holds a punishment with up to 10 years in prison

96
Q

what rights of erasure does the General Data Protection Regulation (GDPR) allow for

A

this allows an individual's data to be removed from a computer if:

  1. it was acquired via unlawful methods
  2. the privacy of the individual is seen as more important than the interests of the organisation holding the data
97
Q

the claim that Robert Schifreen and fellow journalist stephen gold made during their appeal was that

the act they were charged under was never meant to be used in such a case as theirs

the judge agreed with this claim and dropped all charges in 1988

A

what claim did journalists Robert Schifreen and fellow journalist stephen gold make during their appeal and did the judge agree

98
Q

name two actions taken on a computer that would be chargeable under

Section 3 of the Computer Misuse Act (CMA) 1990

A

for you to be charged with this section some actions might be:

  1. Denial of service
  2. Introducing malware
99
Q

if

multiple parameters and their values are contained within a query string

how are they separated

A

when this occurs within the query string they are separated by ampersands (&)

100
Q

what 4 actions does an

SQL injection (SQLi)

allow

A

this allows:

  1. Unauthorized access to a database
  2. Viewing restricted content of a database
  3. Changing or deleting the contents of the database
  4. reconnoitre a site before performing a serious attack
101
Q

what are the 4 rules for data processing that are given under

Principle 1, Lawfulness, fairness and transparency

of the

General Data Protection Regulation (GDPR)

Data Protection Principles

A

from this it says that:

  1. Organisations must have a lawful basis which allows them to process data
  2. The data they hold must not be used to break other laws, such as copyright, contract or tax laws
  3. The data they hold must be used fairly and not have negative or unexpected effects on the data subject (this rule may be ignored if it is in the public interest such as police using data as part of their investigation)
  4. There must be up-front clarity about how data will be used
102
Q

in october 2015 what type of attack was talk talk subject to

A

in october 2015 talk talk had been a victim of an

SQL injection (SQLi) attack

103
Q

to prevent this the following can be implemented:

  1. Ideally error messages are turned off entirely for a public facing database
  2. error messages are logged to a local file for public facing database
  3. error messages are only to be used for offline development of a database
A

to prevent an

error-based SQLi

what 3 actions can be taken

104
Q

in october 2015 what

data was stolen from talk talk

A

from this company attackers stole:

  1. 157,000 customer accounts were stolen, including information such as names and addresses, dates of birth, email and telephone details, as well as account information
  2. attackers stole complete bank or credit card records belonging to 16,000 customers
  3. partial banking details of a further 28,000 customers
105
Q

this is the Supervisory Authority (SA) for the U.K which oversees and enforces the General Data Protection Regulation (GDPR)

Unlike the computer misuse act, data protection breaches are not automatically investigated by the police or prosecuted in a court of law. Instead it is the role of this Supervisory Authority (SA)

A

what is the

Information Commissioner's Office (ICO)

106
Q

this type of attack was first discovered in 1998

A

from which year was

SQL injection (SQLi)

first known about

107
Q

what was

Robert Schifreen and fellow journalist stephen gold

initially found guilty of

A

these two journalists were initially found guilty of forgery and counterfeiting

108
Q

the punishment for breaking this law is

  1. summary conviction of 1 year in prison and/or up to £5,000 fine
  2. conviction on indictment of 2 years in prison
A

what punishments does

section 1 of the Computer Misuse Act (CMA) 1990

carry

109
Q

some types of this include:

  1. racial or ethnic origins
  2. political opinions
  3. religious or philosophical beliefs
  4. membership of a trade union
  5. health
  6. sexuality and sexual history
  7. genetics
  8. biometric data where used for ID purposes.
A

name some

types of sensitive data

110
Q

in the U.K this task is carried out by the

Information Commissioner's Office (ICO)

A

in the uk who is the

supervisory authority (SA)

that enforces compliance with the

General Data Protection Regulation (GDPR)

111
Q

the

Data Protection Act (DPA) 2018

introduces Europe's General Data Protection Regulation (GDPR) but what 3 other things did it incorporate into law

A

this also introduced into U.K law

  1. relations to national security
  2. duties of the Information Commissioner’s Office (ICO)
  3. EU Data Protection Directive 2016/680 (Law Enforcement Directive)
112
Q

states that a crime has been committed under section 2 if they committed an offence under section 1 and intend to commit further crimes listed in Subsection 2(2)

A

what does

subsection 2(1) of the Computer Misuse Act (CMA) 1990

state

113
Q

when

sanitising query strings by parsing the query string

what actions are carried out by the script responsible for the sanitisation

A

when this action is taken

the script responsible for turning query strings into queries will first assess the query string to see if it contains any characters that could correspond to an SQL query. In the case that it does the script can:

  1. Translate the characters into safe characters
  2. Ignore the string entirely

This ensures that any query string containing an SQL query never reaches the database

114
Q

after the appeal ruling it was proposed by the courts that legislators would have to decide if new laws should be put in place to restrict the act of unauthorised access to a computer

A

what was proposed after the appeal ruling of robert shifreen and stephen gold

115
Q

what did the

Data Protection Act (DPA) 1984

introduce

A

this act meant that any public and private companies holding personal data must register with a data protection registrar who also enforced the law, however an individual's right to privacy was not covered by this piece of legislation

116
Q

how can

Principle 7, Accountability

of

article 5, General Data Protection Regulation (GDPR)

Data Protection Principles

be described / summarised

A

this can be described / summarised as:

(this is not listed as a data protection principle in the DPA 2018 but is a principle in the GDPR)

data processors and controllers must have technical and organisational measures in place to demonstrate compliance with the GDPR and DPA 2018 (Open University, 2022)

117
Q

This section holds a punishment with up to 10 years in prison

A

what is the maximum sentence under

Section 3 of the Computer Misuse Act (CMA) 1990

118
Q

this requires that:

  1. developers think about the privacy of users' data from the outset not just when the system is finished
  2. companies process as little data as possible
  3. companies only collect what they need to complete the task
  4. personal data is deleted when no longer needed
  5. data may not be passed to other organisations without permission
A

name 5 requirements that the

General Data Protection Regulation (GDPR)

places on developers / companies

119
Q

this delivered to its subscribers:

  1. news, train times, etc
  2. the first email service in the UK
  3. the world's first online banking service through the Bank of Scotland and the Nottingham Building Society
  4. It also introduced the world's first online theatre ticket purchase and grocery shopping
A

what content did prestel deliver to its subscribers

120
Q

when using this technique to prevent an SQL injection (SQLi) attack we can:

  1. restrict what data a web page can see from a database
  2. restrict what actions a web page can take on a database such as deleting or modifying

restrictions such as these ensure that even if a malicious query string is sent to a server it will never be executed by the database because of the lack of permissions

A

when

restricting permissions

to prevent an SQL injection (SQLi) attack what two actions can be put into place

121
Q

how does an

SQL injection (SQLi) attack

work

A

this works by replacing a legitimate query string with one that is malicious

122
Q

This is an amendment that has been made and states that it is a criminal act to develop or supply either software or data that may be used in a crime

A

what is

Section 3a of the Computer Misuse Act (CMA) 1990

123
Q

what is a

query

A

this is a command written in a specialised language known as a query language and allows for entering, modifying or deleting data from a database

124
Q

what is a

summary conviction

A

this type of conviction is where no jury is involved in the sentencing, instead only a judge or magistrate handles the case

125
Q

in 2015 which months were talk talk attacked

A

talk talk were attacked in july, september and october of 2015

126
Q

from this it says that:

  1. Organisations must have a lawful basis which allows them to process data
  2. The data they hold must not be used to break other laws, such as copyright, contract or tax laws
  3. The data they hold must be used fairly and not have negative or unexpected effects on the data subject (this rule may be ignored if it is in the public interest such as police using data as part of their investigation)
  4. There must be up-front clarity about how data will be used
A

what are the 4 rules for data processing that are given under

Principle 1, Lawfulness, fairness and transparency

of the

General Data Protection Regulation (GDPR)

Data Protection Principles

127
Q

what is

section 3 of the Computer Misuse Act (CMA) 1990

concerned with

A

this section is concerned with

unauthorised modification of computer material.

128
Q

this was first discovered by

security expert Jeff Forristal.

upon discovery he had

attempted to warn microsoft about the issue

however, microsoft at the time saw it as no issue

A

who was the first person to discover

SQL injection (SQLi)

and what actions did he take

129
Q

how does the General Data Protection Regulation (GDPR) treat

Pseudonymisation data

A

the General Data Protection Regulation (GDPR) treats this as if it were any other personal data

130
Q

does

turning off error messages

stop an SQL injection (SQLi) attack

A

NO taking this action on a database does not stop an SQL injection (SQLi) attack

131
Q

This is another amendment which has been made to the Computer Misuse Act (CMA) 1990. it covers the most serious of computer crimes where human life has been harmed such as:

  1. Disrupting food, water or energy supplies
  2. Disrupting communication or transport networks
  3. Damaging or disrupting healthcare
A

what is

Section 3za of the Computer Misuse Act (CMA) 1990

132
Q

what is an

error-based SQLi

A

this is a type of attack in which the error messages produced by the database are used to understand the structure and potential weaknesses of a database. this is often implemented as a first stage of an attack

133
Q

how can

Principle 4, Accuracy

of

article 5, General Data Protection Regulation (GDPR)

Data Protection Principles

be described / summarised

A

this can be described / summarised as:

Personal data shall be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate or misleading is erased or rectified without delay. (Open University, 2022)

134
Q

in the uk who is the

supevisory authority (SA)

that enforces compliance with the

General Data Potection Regulation (GDPR)

A

in the U.K this task is carried out by the

Information Commisioners Office (ICO)

135
Q

this can be described / summarised as:

Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed. (Open University, 2022)

A

how can

Principle 3, Data minimisation

of

article 5, General Data Protection Regulation (GDPR)

Data Protection Principles

be described / summarised

136
Q

this can be described / summarised as:

The sixth data protection principle is that personal data processed for any purposes must be so processed in a manner that ensures appropriate security of the personal data, using appropriate technical or organisational measures (and, in this principle, “appropriate security” includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage). (Open University, 2022)

A

how can

Principle 6, Integrity and confidentiality (security)

of

article 5, General Data Protection Regulation (GDPR)

Data Protection Principles

be described / summarised

137
Q

how can

Principle 5, Storage limitation

of

article 5, General Data Protection Regulation (GDPR)

Data Protection Principles

be described / summarised

A

this can be described / summarised as:

Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. Appropriate time limits must be established for the periodic review of the need for the continued storage of personal data for any purposes. (Open University, 2022)

138
Q

if someone in the U.K is in breach of the General Data Protection Regulation (GDPR) what is the maximum punishment that can be placed on an organisation by the

Information Commissioner's Office (ICO)

A

if an organisation in the U.K breaches the General Data Protection Regulation (GDPR) this body may:

impose fines of up to €20 million or 4% of an organisation's total worldwide annual turnover of the preceding financial year, whichever is higher, for not complying with this law

139
Q

this can be prevented by:

  1. update software
  2. restrict permissions
  3. turn off error messages
  4. sanitise query strings
A

name 4 methods that can

prevent SQL injection (SQLi) attacks

140
Q

what is the

Information Commissioner's Office (ICO)

A

this is the Supervisory Authority (SA) for the U.K which oversees and enforces the General Data Protection Regulation (GDPR)

Unlike the computer misuse act, data protection breaches are not automatically investigated by the police or prosecuted in a court of law. Instead it is the role of this Supervisory Authority (SA)

141
Q

under which 3 circumstances would Section 171(1) of the General Data Protection Regulation (GDPR) allow for the

de-anonymisation of anonymised data

A

Section 171(1) of the General Data Protection Regulation (GDPR) may allow this if:

  1. with a view to testing the effectiveness of the de-identification of personal data,
  2. without intending to cause, or threaten to cause, damage or distress to a person, and
  3. in the reasonable belief that, in the particular circumstances, re-identifying the information was justified as being in the public interest.
142
Q

this was a service that was capable of delivering thousands of pages each with different content to subscribing customers

A

what was

prestel

143
Q

this section is concerned with

unauthorised access to computer material

A

what is

section 1 of the Computer Misuse Act (CMA) 1990

concerned with

144
Q

what are the six

lawful bases upon which the Data Protection Act (DPA) 2018 allows organisations to process data

A

these include:

  1. consent - There must be clear and specific, up-front statement of consent on the part of the individual; and specific consent for each use of the data
  2. contract - one of the options of choice for many large organisations looking to circumvent the consent rules.
  3. Legal obligation - e.g. the organisation may need to process the data to comply with national security related obligations under a law like the Investigatory Powers Act of 2016.
  4. Vital interests - e.g. processing the data to protect someone’s life.
  5. Public task - e.g. duties carried out by a public authority in the public interest.
  6. Legitimate interests – the Information Commissioner's Office (ICO) describes this as “the most flexible lawful basis for processing… where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact”.
145
Q

does the General Data Protection Regulation (GDPR)

prohibit the act of de-anonymising data that has been anonymised

such as pseudonymisation data

A

YES

Section 171(1) of the law states:

“It is an offence for a person knowingly or recklessly to re-identify information that is de-identified personal data without the consent of the controller responsible for de-identifying the personal data”

146
Q

the General Data Protection Regulation (GDPR) treats this as if it were any other personal data

A

how does the General Data Protection Regulation (GDPR) treat

Pseudonymisation data

147
Q

this can be described / summarised as:

(this is not listed as a data protection principle in the DPA 2018 but is a principle in the GDPR)

data processors and controllers must have technical and organisational measures in place to demonstrate compliance with the GDPR and DPA 2018 (Open University, 2022)

A

how can

Principle 7, Accountability

of

article 5, General Data Protection Regulation (GDPR)

Data Protection Principles

be described / summarised

148
Q

this is a specialised language that is used to communicate with databases. the most common is Structured Query Language (SQL)

A

what is a

query language

149
Q

This holds the highest of penalties under the Computer Misuse Act (CMA) 1990. with the least serious offences being 14 years in jail and the most serious being life in jail

A

what sentences does

Section 3za of the Computer Misuse Act (CMA) 1990

hold

150
Q

general data protection regulation (GDPR) ensures that each member state has a supervisory authority (SA) which oversees data protection

what is the name of the

U.K's supervisory authority (SA)

A

in the U.K this position is taken by the

Information Commissioner’s Office (ICO)

151
Q

states that you can still be charged under section 2 even if there was no way that you could have been successful. Such cases might be where an attacker did not have the required skills, the system they tried to attack had preventative measures etc

A

what does

subsection 2(4) of the Computer Misuse Act (CMA) 1990

state

152
Q

states that further offences committed after gaining access to the computer (section 1) do not need to happen immediately for a charge to be brought. Simply put, if customer details were stolen and then six months later those details were used to commit fraud against those users, you can still be charged.

A

what does

subsection 2(3) of the Computer Misuse Act (CMA) 1990

state

153
Q
  1. states that a bug or accidental damage cannot be prosecuted
  2. states that you do not actually need to cause harm and only the intent is enough
  3. states that any modification that is done does not need to be permanent to still be charged
A

under

Section 3 of the Computer Misuse Act (CMA) 1990

name 3 conditions that would/would not allow a conviction

154
Q

what are the 3 penalties that can be enforced under the

General Data Protection Regulation (GDPR)

A

under this the penalties are:

  1. Written warnings for relatively minor breaches, first offences or unintentional non-compliance.
  2. More serious failings require organisations to undergo regular data protection audits to ensure that they are brought into compliance with GDPR.
  3. The most serious incidents could result in fines of up to €20 million or 4% of an organisation’s annual global turnover – whichever is greater. (Previously the UK DPA 1998 had a stipulated maximum fine of just £500,000).
155
Q

this:

  1. Provides a set of rules concerning data that would be enforced by every E.U member state. This makes doing business much easier in cases where data processing of a certain type would have been illegal in one country but not another
  2. protects the data of EU citizens by placing responsibility for protecting that data on to companies.
  3. protects EU citizens data even when it is not being processed in the EU since the law extends to any country processing EU citizens data
A

what 3 purposes does the

General Data Protection Regulation (GDPR)

serve

156
Q

a web page can usually be implemented as a template which can

have data entered into it depending on the situation such as who is logging in

A

how do

databases allow webpages to be dynamic in nature

and at the same time avoid creating millions of different web pages for each user

157
Q

from which year was

SQL injection (SQLi)

first known about

A

this type of attack was first discovered in 1998

158
Q

this act is concerned with unauthorised access or modification to a computer as well as any crimes carried out with a computer and/or threats to life through use of a computer

A

what is the

computer misuse act (CMA) 1990

concerned with

159
Q

this includes:

  1. Lawfulness, fairness and transparency
  2. Purpose limitation
  3. Data minimisation
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality (security)
  7. Accountability
A

what are the 7

Data Protection Principles

included in article 5 of the General Data Protection Regulation (GDPR)

160
Q

under this the penalties are:

  1. Written warnings for relatively minor breaches, first offences or unintentional non-compliance.
  2. More serious failings require organisations to undergo regular data protection audits to ensure that they are brought into compliance with GDPR.
  3. The most serious incidents could result in fines of up to €20 million or 4% of an organisation’s annual global turnover – whichever is greater. (Previously the UK DPA 1998 had a stipulated maximum fine of just £500,000).
A

what are the 3 penalties that can be enforced under the

General Data Protection Regulation (GDPR)

161
Q

what was

prestel

A

this was a service that was capable of delivering thousands of pages each with different content to subscribing customers

162
Q

this allows an individual's data to be removed from a computer if:

  1. it was acquired via unlawful methods
  2. the privacy of the individual is seen as more important than the interests of the organisation holding the data
A

what rights of erasure does the General Data Protection Regulation (GDPR) allow for

163
Q

this is a type of attack in which the error messages produced by the database are used to understand the structure and potential weaknesses of a database. this is often implemented as a first stage of an attack

A

what is an

error-based SQLi

164
Q

what 3 ways is

General Data Protection Regulation (GDPR) enforced

A

this is enforced by:

  1. Each member country is required to have a central supervisory authority (SA) which will oversee data protection.
  2. Companies that have more than 250 employees must have at least one data protection officer (DPO), whose responsibility is to develop protection methods for the personal data they process as well as ensuring they are compliant with the GDPR. (under the data protection act 1998 there was no requirement to hire a DPO)
  3. Companies are forced to report breaches to their supervisory authority (SA) within 72 hours of discovery (the data protection act 1998 encouraged this type of activity but it was not a requirement)
165
Q

what happened during the year of

1981

concerning uk data protection

A

this was the year in which

Britain's first data privacy laws were introduced to come in line with the EU. The laws were introduced to protect personal data from being exported from a country with strong privacy rules to one lacking them

166
Q

which month of 2015 saw the hardest hitting attack on talk talk

A

the worst attack that talk talk saw in 2015 was in october

167
Q

what did the

Data Protection Act (DPA) 2018

introduce

A

this was introduced mainly so that the UK could implement Europe's General Data Protection Regulation (GDPR)

168
Q

name 4 methods that can

prevent SQL injection (SQLi) attacks

A

this can be prevented by:

  1. update software
  2. restrict permissions
  3. turn off error messages
  4. sanitise query strings
169
Q

when taking this action the script that turns query strings into queries will ensure that it only accepts:

  1. queries with a fixed amount of parameters
  2. Queries with parameters of certain types

Example

If the script only expects two parameters (name and date) and those parameters must be formatted a certain way or be a certain type then any other query strings that it encounters will be discarded and not passed to the database

A

what happens when

restrictions are placed on query strings

to prevent an SQL injection (SQLi) attack

170
Q

this can be described / summarised as:

Personal data shall be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate or misleading is erased or rectified without delay. (Open University, 2022)

A

how can

Principle 4, Accuracy

of

article 5, General Data Protection Regulation (GDPR)

Data Protection Principles

be described / summarised

171
Q

under

Section 3 of the Computer Misuse Act (CMA) 1990

name 3 conditions that would/would not allow a conviction

A
  1. states that a bug or accidental damage cannot be prosecuted
  2. states that you do not actually need to cause harm and only the intent is enough
  3. states that any modification that is done does not need to be permanent to still be charged
172
Q

in the aftermath of the october 2015 attack on talk talk what happened with the customer data that was stolen

A

customers data was posted online and some customers were even receiving fraudulent calls such as:

  1. Being tricked into making payments
  2. Giving away more banking information
  3. Tricking the user to install malware on to their own systems
173
Q

how can

Principle 2, Purpose limitation

of

article 5, General Data Protection Regulation (GDPR)

Data Protection Principles

be described / summarised

A

this can be described / summarised as:

Personal data shall be obtained only for one or more specified, explicit and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes. (Open University, 2022)

174
Q

This lists the types of crimes covered by section 2 such as: fraud, forgery, theft and criminal damage

A

what does

subsection 2(2) of the Computer Misuse Act (CMA) 1990

state

175
Q

name some

types of sensitive data

A

some types of this include:

  1. racial or ethnic origins
  2. political opinions
  3. religious or philosophical beliefs
  4. membership of a trade union
  5. health
  6. sexuality and sexual history
  7. genetics
  8. biometric data where used for ID purposes.
176
Q

these two journalists used the username and password combo which had been seen used at a demonstration to access the prestel network without authorisation

A

what actions did journalists

Robert Schifreen and stephen gold take on the prestel network

177
Q

what is

section 2 of the Computer Misuse Act (CMA) 1990

concerned with

A

this section is concerned with

unauthorised access intending to commit or assist the commission of further offences

178
Q

this was developed by the british post office in 1979 and eventually ceased its service in 1991

A

who developed prestel and what was its lifetime

179
Q

this was the year in which

Britain's first data privacy laws were introduced to come in line with the EU. The laws were introduced to protect personal data from being exported from a country with strong privacy rules to one lacking them

A

what happened during the year of

1981

concerning uk data protection

180
Q

what punishments does

section 1 of the Computer Misuse Act (CMA) 1990

carry

A

the punishment for breaking this law is

  1. summary conviction of 1 year in prison and/or up to £5,000 fine
  2. conviction on indictment of 2 years in prison
181
Q

when this action is taken

the script responsible for turning query strings into queries will first assess the query string to see if it contains any characters that could correspond to an SQL query. In the case that it does the script can:

  1. Translate the characters into safe characters
  2. Ignore the string entirely

This ensures that any query string containing an SQL query never reaches the database

A

when

sanitising query strings by parsing the query string

what actions are carried out by the script responsible for the sanitisation

182
Q

NO taking this action on a database does not stop an SQL injection (SQLi) attack

A

does

turning off error messages

stop an SQL injection (SQLi) attack

183
Q

where does a

query string

begin within a

Uniform Resource Locator (URL)

A

this will begin after a question mark symbol (?) within the Uniform Resource Locator (URL)

184
Q

these include:

  1. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection or appropriate safeguards for the rights and freedoms of data subjects in relation to the processing of personal data; or there are special circumstances meaning the transfer is necessary.
  2. Personal data shall be processed in accordance with the rights of data subjects i.e. there must be respect for fundamental rights.

(Open University, 2022)

A

what are the two

overriding provisions

of the

General Data Protection Regulation (GDPR)

185
Q

what happens when a

server receives a query string

A

when it receives this it will:

  1. Extract the contents of the query string
  2. Generate and send a query to the database
186
Q

when it receives this it will:

  1. Extract the contents of the query string
  2. Generate and send a query to the database
A

what happens when a

server receives a query string